FortiOS Log Message Reference

Enabling extended logging

You can enable extended logging for the following UTM profiles:

  • antivirus
  • application
  • dlp
  • ips
  • waf
  • webfilter

When you enable the extended-log option for UTM profiles, all HTTP header information for HTTP-deny traffic is logged.

When you enable the web-extended-all-action-log option for a webfilter profile, all HTTP header information for HTTP-allow traffic is logged.

Extended logging option in UTM profiles

The extended-log option has been added to all UTM profiles, for example:

    # webfilter profile
    config webfilter profile
        edit "test-webfilter"
            set extended-log enable
            set web-extended-all-action-log enable
        next
    end

    # av profile
    config antivirus profile
        edit "av-proxy-test"
            set extended-log enable
        next
    end

    # waf profile
    config waf profile
        edit "test-waf"
            set extended-log enable
        next
    end

Syslog server mode

The syslog server mode options have changed to udp, reliable, and legacy-reliable. You must set the mode to reliable to support extended logging, for example:

    config log syslogd setting
        set status enable
        set server "<ip address>"
        set mode reliable
        set facility local6
    end

Example of an extended log

Following is an example extended log for a utm log type with a webfilter subtype for a reliable Syslog server. The rawdata field contains the extended log data.

Dec 18 15:40:15 10.6.30.254 date=2017-12-18 time=15:40:14 devname="600D-9" devid="FGT6HD3915800120" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" eventtime=1513640414 policyid=2 sessionid=440522 srcip=10.1.100.128 srcport=60995 srcintf="port2" srcintfrole="lan" dstip=209.121.139.177 dstport=80 dstintf="port1" dstintfrole="wan" proto=6 service="HTTP" hostname="detectportal.firefox.com" profile="test-webfilter" action="blocked" reqtype="direct" url="/success.txt" sentbyte=285 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=52 catdesc="Information Technology" crscore=30 crlevel="high" rawdata="Method=GET|User-Agent=Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0"
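On the collector side, the rawdata field has to be split out of the record before the HTTP fields can be searched. The following is an added example, not Fortinet code: a parser for the record above, plus a heuristic that lists the profiles whose blocked HTTP records arrive without rawdata, which points to extended-log being disabled on that profile or the syslog mode not being reliable. The "|" separator is inferred from the sample above, and the second record and its profile name "other-webfilter" are constructed.

```python
import re

# The page's example record, abridged to the fields used below.
BLOCKED = ('Dec 18 15:40:15 10.6.30.254 date=2017-12-18 time=15:40:14 '
           'devname="600D-9" type="utm" subtype="webfilter" service="HTTP" '
           'profile="test-webfilter" action="blocked" url="/success.txt" '
           'msg="URL belongs to a denied category in policy" '
           'rawdata="Method=GET|User-Agent=Mozilla/5.0 '
           '(Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0"')
# Constructed record: same shape, hypothetical profile, no rawdata field.
NO_RAWDATA = ('Dec 18 15:41:02 10.6.30.254 date=2017-12-18 time=15:41:01 '
              'devname="600D-9" type="utm" subtype="webfilter" service="HTTP" '
              'profile="other-webfilter" action="blocked" url="/index.html"')

# key=value pairs; a value is either double-quoted or runs to the next space.
# Assumption: quoted values contain no embedded double quotes.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key=value fields of one FortiOS syslog line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

# Assumption: "|" separates fields, as in the page's sample. Only the first
# "=" splits name from value, so a value may itself contain "=".
def parse_rawdata(rawdata):
    """Split 'Name=Value|Name=Value' into a dict of HTTP fields."""
    fields = {}
    for part in rawdata.split("|"):
        name, sep, value = part.partition("=")
        if sep:
            fields[name] = value
    return fields

def http_fields(line):
    """HTTP fields of a utm record, or None if it carries no rawdata."""
    rec = parse_record(line)
    if rec.get("type") != "utm" or "rawdata" not in rec:
        return None
    return parse_rawdata(rec["rawdata"])

def profiles_missing_rawdata(lines):
    """Profiles whose blocked HTTP utm records arrived without rawdata."""
    recs = (parse_record(line) for line in lines)
    return {r.get("profile") for r in recs
            if r.get("type") == "utm" and r.get("service") == "HTTP"
            and r.get("action") == "blocked" and "rawdata" not in r}
```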
